Introduction

The Pensions Regulator's General Code of Practice (the Code) took effect on 28 March 2024.

Among other things, the Code sets out the Pensions Regulator's expectations in relation to scheme administration, including how trustees should monitor a scheme's data, contributions, cyber risk and processing financial transactions.

The digital version of the Code is now available on the Pensions Regulator's website, and this is integrated with the remaining 6 Codes of Practice that were not part of the consolidation.

This briefing sets out:

  • Further details on what the Administration section of the Code covers and what has changed from previous Codes issued by the Regulator.

  • Key areas of focus for the Regulator regarding scheme administration.

  • Practical steps that trustees can take to develop their effective system of governance (ESOG) on administration matters.

The Code consolidates and replaces 10 former Codes of Practice, and this briefing forms part of a series which will also cover the other sections of the Code (Governing Bodies and the Effective System of Governance, Funding and Investment, Communications and Disclosure, and Reporting to the Regulator).

Administration: overview

What do the Administration modules cover?

The modules in the Administration section of the Code set out details of many of the "internal controls" that the Regulator expects trustees to have as part of their ESOG.

The Administration section of the Code covers a broad range of topics relating to the day-to-day operation of a pension scheme, such as processing financial transactions (including payment of contributions and transfers out), record-keeping and data monitoring.

There is new content on the maintenance of IT systems and cyber controls, giving additional weight to the increasing focus on cyber security by the Regulator.

Some of the other content in the Administration section of the Code will be familiar from former Codes (in particular Code 5 (Reporting late payments) and Code 13 (Administration of DC schemes)), for example in the modules concerning processing of financial transactions and monitoring contributions. Other modules, such as data improvement, record-keeping and transfers out, also draw on former Codes, but have been significantly expanded or updated to reflect more recent developments such as the 2021 transfer conditions regulations regarding pension scam 'flags'.

The Code states that administration should be included as an agenda item at trustee board meetings and as an important item on the scheme risk register.

Generally, we would not expect the Code to lead to major overhauls of administration processes for schemes that are already well-run. This is because many of the areas covered in the Administration section of the Code, such as expectations for processing core financial transactions, already form part of the normal day-to-day operation of schemes and as such may already be covered in administration agreements and processes (where administration has been outsourced) or administration manuals.

That said, in some cases existing administration documents and processes may need to be reviewed to consider whether they are up to date in light of the expectations set out in the Code. This could take place as part of a scheme's broader "gap analysis" for compliance with the Code. For example, in the section on transfers out the Code summarises the relevant legislative requirements, including the 2021 transfer conditions regulations on pensions scams 'flags', which schemes should already be complying with, but also notes that schemes should be reporting suspected illegitimate arrangements to Action Fraud.

Trustees should also consider whether their contractual terms with their administrators include suitable reporting obligations to enable them to meet the administration monitoring expectations under the Code.

There are also some areas where the Code states that trustees should have written policies or processes which may not currently be documented in a formal way. For example, the Code states that trustees should "develop a strategy for the long-term administrative objectives of the scheme" and agree a process for delivering this strategy with the administrator. It is also expected that the performance of third-party administrators is reviewed regularly, with procedures in place to ensure consistent service in the event of a change of administrator.

Although this type of review and strategic planning activity may well already be taking place in many schemes in practice, some schemes may find they need to document these types of policies and processes more formally in order to be able to demonstrate that they have an effective system of governance (ESOG). Gap analysis can be a helpful tool to identify where this is needed.

Actions: Review where processes and standards relating to scheme administration are currently documented and consider whether these need to be updated and expanded to meet the Regulator's expectations set out in the Code (i.e. ensure that ESOG gap analysis incorporates administration matters).

Financial transactions, transfers out and contributions

Financial transactions

The Code states that governing bodies of all schemes should ensure financial transactions are managed as part of their internal controls.

All schemes undertake a variety of financial transactions, including processing contributions, benefits and transfers. DC schemes are under a specific statutory obligation to process "core" financial transactions promptly and accurately (this includes investing contributions and processing transfers and benefit payments).

The Code recognises that the management of financial transactions should be proportionate to the nature, complexity and activity of the scheme. The Regulator's expectations include that trustees should:

· Understand the procedures and controls the administrator operates to ensure that financial transactions are processed promptly and accurately.

· Make sure that authorisation processes for financial transactions do not cause undue delay.

· Annually review processes and systems for financial transactions and identify opportunities to improve them.

· Review performance of the processing of financial transactions against SLAs.

Transfers out

The Code provides a high-level overview of the statutory transfer requirements, including the checks required to be carried out in relation to transfer out conditions (red and amber flags and pensions safeguarding guidance), the separate need for governing bodies of DC schemes to explain the availability of Pension Wise guidance to members, and applicable deadlines.

Governing bodies of DB schemes are expected to monitor the impact transfer requests could have on scheme funding and liquidity. For DB to DC transfers, they should ensure they carry out appropriate checks in relation to the need for members transferring benefits valued at £30,000 or more to take appropriate independent financial advice and keep relevant records (including the evidence that the firm providing the advice had the relevant regulatory permissions to provide the advice at the time and details of when this check was conducted and by whom). The Code highlights that trustees should be aware of the risks of pension scams in relation to transfer activity.

It's likely that most schemes will already have checks and processes in place in relation to transfer requests to ensure compliance with the statutory transfer conditions and deadlines. In our experience many schemes reviewed their processes following the introduction of the new transfer conditions regulations in 2021. However, some trustees may wish to further review their approach to monitoring transfers and keeping records of transfers to consider whether they meet the expectations set out in the Code.

Contributions

The Code modules relating to contributions include governing bodies' responsibilities regarding monitoring contributions and resolving overdue payments. In addition to ensuring that contributions are paid to the scheme in accordance with a scheme's governing documents, statutory funding documents (such as the schedule of contributions) and applicable law, trustees should be able to monitor, quickly identify and pursue any missing contributions. They should maintain records of any such missing contributions and related recovery activities.

The Code states that governing bodies should develop and maintain a contributions monitoring record to enable them to check whether payments have been made on time and in full. Where a payment failure is identified, a typical process for rectifying this should involve:

· Contacting the employer to resolve the payment and attempting to find out the cause and circumstances of the payment failure.

· Considering any wider implications and whether the failure is part of a pattern of systemic failure.

· Taking steps to ensure any future recurrence is avoided.

There is a separate Code module regarding reporting certain material payment failures to the Regulator. We will cover reporting to the Regulator in a separate briefing, but the Code notes that operating a contributions monitoring record and a process (as described above) for resolving overdue contributions will help trustees decide whether a payment failure must be reported to the Regulator and scheme members.

Actions:

  • Ensure the management of financial transactions is part of the scheme's internal controls.

  • Review transfer request processes to ensure the approach to monitoring and record-keeping remains appropriate.

  • Develop a contributions monitoring record including the relevant information to ensure any payment failures can be quickly identified.

  • Consider design of the process to be followed in the event of a payment failure.

Data monitoring and improvement

Record-keeping

The majority of the content of the Code relating to record-keeping should be familiar to trustees and others involved with schemes as forming part of the ordinary day-to-day activities of running a scheme. It outlines the statutory requirements relating to keeping records of scheme transactions and trustee meetings and decisions. It also sets out expectations relating to accuracy and retention of scheme records, as well as ensuring there are administrative systems in place to provide members with accurate information about their benefits. Processes should be in place to enable employers to provide timely and accurate data to the scheme. Whilst schemes should review their existing record-keeping approach in light of the Code, in many cases they may find that major changes are not required.

Data reviews

The Regulator's focus on driving improvements in data quality has been clear for some time; schemes will be familiar with the common and scheme-specific data reporting required to be completed as part of the scheme return. Good data will also be vital for effective compliance with the upcoming pensions dashboards requirements. It therefore comes as no surprise that the Code sets out clear expectations for trustees when it comes to monitoring, reviewing and seeking to improve scheme data.

As well as outlining expectations that scheme data is monitored on an ongoing basis and ensuring the governing body receives information about any material data gaps or errors, the Code states that trustees should assess the need for a data review exercise at least annually, with the possibility of additional reviews in response to significant scheme events (e.g. winding-up or change of administrator). Trustees should keep records of such reviews and their findings, with data improvement plans put in place to address identified issues.

In our experience, whilst various forms of data review exercises are commonly carried out by trustees at appropriate times in accordance with a scheme's strategic planning activities, not all trustee boards will conduct a formal annual assessment regarding whether such an exercise is needed.

The Code also expects governing bodies to maintain consistent and fair policies for situations where data cannot be corrected, for example due to age or loss of records. This is an area we are seeing many trustee boards grapple with, such as in the context of GMP equalisation or other benefit correction or data cleansing exercises. Maintenance of such policies is therefore likely to benefit trustees in a variety of contexts.

Actions: Some practical points for trustees to consider for complying with the expectations in the Code:

  • Review scheme systems and processes relating to the retention and accuracy of scheme records to ensure compliance.

  • Ensure record-keeping is included in the risk register.

  • Ensure there are policies in place for monitoring data accuracy on an ongoing basis.

  • Assess the need for a data review exercise at least annually or otherwise in response to significant scheme events.

Data protection and cyber controls

Data protection

As part of meeting the Code's expectations for data monitoring and improvement referred to above, governing bodies should have processes in place for protecting scheme data. This includes complying with their obligations under data protection law and having processes in place to address any breaches. In our experience, most trustees will have given considerable thought to data protection policies and response plans in response to GDPR, but these should be regularly reviewed and, if necessary, updated to ensure they remain appropriate.

Cyber controls

The Code acknowledges the significant crossover between cyber risk and data protection, noting that properly functioning cyber controls will assist governing bodies in complying with data protection obligations and could mitigate the impacts of a data breach.

However, it is important to recognise that the two topics are distinct and trustees should treat them as such: it is not always the case that a cyber incident will result in a personal data breach, nor that a personal data breach will always be the result of a cyber incident. For example, a cyber incident could result in disruption to the processing of financial transactions, even if this does not result in a personal data breach.

Trustees should therefore ensure they consider cyber risk in its own right. This should include having a cyber incident response plan (with clearly defined roles and responsibilities to identify and respond to cyber breaches) and other cyber security policies as necessary. This should include policies for the use of devices and home working. Given that, in practice, many individual trustees and trustee directors not employed by scheme sponsors use personal devices to conduct trustee business, this is an important area that trustee boards should seek to address.

Actions:

  • Document and review policies in relation to data protection and cyber security (including appropriate incident response plans).

  • Consider carrying out scenario planning or incident response exercises that deal with different types of potential data protection or cyber incident (such as a data breach or fraudulent access to a key payment system).

Maintaining IT systems

Schemes will typically rely on external service providers for their IT infrastructure. However, schemes should (as part of the obligation to have an ESOG including internal controls) have internal controls which ensure that IT systems are able to meet the scheme's needs and legal requirements.

The Code sets out the standards the Regulator expects for maintaining IT systems. These include functioning cyber security measures, regular back-ups of scheme and member data, and appropriate hardware and personnel resources.

Governing bodies should take steps to make sure their service providers meet the Regulator's expectations for maintaining IT systems, including challenging providers and pushing for improvements where necessary. Where trustees do not have the technical expertise to assess whether service providers are meeting the Regulator's expectations, they should seek appropriate specialist advice and may be able to seek the support of the scheme sponsor in doing so (see the Knowledge and understanding section below).

Actions: Consider whether the scheme's internal controls include provision for assessing IT systems of service providers (including seeking technical input where necessary).

Knowledge and understanding

While the Code has a specific knowledge and understanding (TKU) module (see our briefing "TPR's General Code: Governing Bodies and the Effective System of Governance"), the Administration section of the Code also highlights certain additional specific areas where the Regulator says trustees should have appropriate levels of TKU. These include:

· maintaining sufficient knowledge and understanding of administration; and

· ensuring trustees have knowledge and understanding of cyber risk and of their obligations under data protection law.

Trustees should consider these expectations in the context of their particular scheme. For example, where trustees have outsourced day-to-day scheme administration to a third-party provider, trustees will need to have sufficient TKU to appropriately interrogate any reports provided by the scheme administrator.

Where reports from third-party service providers cover technical areas such as cyber controls and business continuity plans, the Code states that trustees should ensure they have access to the necessary specialist skills and expertise to help evaluate these, either within the board itself or with external support. Some schemes may be able to engage with their sponsoring employer to explore whether the employer's internal technology specialists or providers could assist the trustees in this regard.

Cyber security is an area where, in particular, we are seeing trustee boards being able to leverage cyber security training and expertise provided by the scheme sponsor in the context of its own business, supported by external professional advice as needed.

Actions: Some practical points for trustees to consider for complying with the expectations in the Code:

  • Consider undertaking trustee training on the expectations of the Code relating to administration, data protection and cyber security.

  • Ensure there is access to appropriate specialist expertise in technical areas where appropriate (e.g. cyber security).

Complying with the Code

Although the Code is not legally binding, it can be used in legal proceedings as evidence in support of a claim of non-compliance with a legal requirement. The Regulator may also cite its expectations, as set out in the Code, when taking enforcement action. Our early experience is that many schemes are therefore actively allocating time and resources to making sure they are complying with the Code. Schemes may want to consider the extent to which their existing policies, processes and governance structures already meet the expectations of the Code, and whether there are other areas that may need updating or documenting more fully.

In our briefings, we use the language "should" to refer to the Pensions Regulator's expectations of trustees as set out in the Code. However, the Code states that trustees should "use their judgement as to what is a reasonable and suitable method for ensuring compliance for their scheme". As noted in previous briefings, legislation states that ESOGs must be "proportionate" to the scheme's "size, nature, scale and complexity of [its] activities". Consequently, schemes have a degree of flexibility in their approach to the Code, based on what is reasonable and proportionate in their particular circumstances. We have not included in this briefing the aspects of the Code applicable to public service pension schemes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.